Configure RSA Archer to use Elasticsearch

Now it is time to configure RSA Archer to use Elasticsearch. Open up the Archer Control Panel and go to the Installation Settings > General tab and scroll down to the Elasticsearch section.

Check the Enable Elasticsearch box, type the cluster name in the Cluster Name field, then click Add New. The URL will be the same one used to connect to the cluster from the browser.

Click OK, then click on the blue + to add this as a cluster. It will now appear in the dropdown.

Click the Test Availability link. You should see a success message:

A failure comes with an error popup. If you don't see one, make sure your ACP window is maximized; otherwise the popup can get dropped due to browser scaling issues. Also check for any firewalls between the Elasticsearch server and Archer. The relevant log file has "index" in its name and is in the log folder defined in the ACP.

Save the configuration changes and go to the General tab in your Archer instance. Scroll down to the Search Index section.

Next to Elasticsearch, check the box labeled Check this flag to use Elasticsearch as a search data source.

Select the Indexing Server from the dropdown and the cluster you just added. This indexing server will be the server running the Archer Indexing Service, not the Elasticsearch server.

Check the Enable Authentication box only if you are securing your Elasticsearch Cluster with something like X-pack or Search Guard. Out of the box, it is not enabled and it is not required here.

Click Save and you will be prompted to rebuild the index.

Press the Rebuild Elasticsearch Index button, which is located in the top right-hand corner of the screen.

Read the popup message and click Yes to continue.

Click the report link to the right of the Rebuild Elasticsearch Index button to see the progress.

Hit Refresh to update the progress. Once the rebuild shows as completed, you are done.

You can also use Elasticsearch Head to view the Indexes.

Notes

RSA Archer follows a bring-your-own model for Elasticsearch, meaning that we support integrating with the Elasticsearch deployment you already have. We do work with the basic (free) license, and the intent of this guide is not to replace any documentation, guidance or support provided by Elastic.

RSA Archer 6.5 supports Elasticsearch version 6.2.4 and RSA Archer 6.6 supports 6.6.1. The plugin provided for each will only work with that specific version.

Cloud-provided Elasticsearch services are not supported at this time.

Elasticsearch does not require authentication for connections by default, and RSA Archer does not require it either. X-Pack Security from Elastic and Search Guard are possible solutions if you want to secure the cluster.
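As an added example (not part of this guide or of Archer's own tooling), the following Python script performs the same pre-flight checks you would otherwise do by hand before clicking Test Availability: it fetches the cluster root document at the URL entered in the ACP, distinguishes a blocked connection (firewall) from an authentication challenge (X-Pack Security / Search Guard, meaning Enable Authentication must be ticked), and compares the cluster name and Elasticsearch version with the ACP value and the plugin version the notes list for each Archer release. The URL, cluster name and the sample root document are constructed values.

```python
import json
import urllib.error
import urllib.request

# From the notes above: each Archer release ships a plugin for exactly one Elasticsearch version.
PLUGIN_ES_VERSION = {"6.5": "6.2.4", "6.6": "6.6.1"}


def fetch_root(url, timeout=5):
    """GET the cluster root document at the URL entered in the ACP.
    Returns (http_status, parsed_body_or_None); status 0 means no TCP connection."""
    req = urllib.request.Request(url.rstrip("/") + "/", headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:          # server answered, but not with 200
        return err.code, None
    except (urllib.error.URLError, OSError):       # firewall, wrong host/port or service down
        return 0, None


def evaluate(status, info, expected_cluster, archer_version):
    """Turn a root-document response into findings; an empty list means ready to save the ACP settings."""
    if status == 0:
        return ["no connection: check firewalls between Archer and the Elasticsearch server"]
    if status in (401, 403):
        return ["cluster enforces authentication (X-Pack Security / Search Guard): tick Enable Authentication"]
    if status != 200 or not info:
        return [f"unexpected HTTP status {status} from cluster root"]
    findings = []
    name = info.get("cluster_name")
    if name != expected_cluster:
        findings.append(f"cluster_name {name!r} does not match ACP Cluster Name {expected_cluster!r}")
    running = info.get("version", {}).get("number")
    wanted = PLUGIN_ES_VERSION.get(archer_version)
    if wanted is None:
        findings.append(f"Archer {archer_version} is not covered by this check")
    elif running != wanted:
        findings.append(f"Elasticsearch {running} found, Archer {archer_version} plugin requires {wanted}")
    return findings


def preflight(url, expected_cluster, archer_version):
    """Live check against a real cluster, e.g. preflight('http://es-host:9200', 'archer-es', '6.6')."""
    status, info = fetch_root(url)
    return evaluate(status, info, expected_cluster, archer_version)


# Constructed sample root document, shaped like the GET / response of an Elasticsearch 6.x node.
SAMPLE_ROOT = {"name": "node-1", "cluster_name": "archer-es", "version": {"number": "6.6.1"}}

if __name__ == "__main__":
    for line in evaluate(200, SAMPLE_ROOT, "archer-es", "6.6") or ["OK: cluster matches ACP settings"]:
        print(line)
```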

Elasticsearch's hardware recommendations should be followed strictly. Records are added to a queue in batches of 100 and pulled from the queue to be indexed. The queue is capped at 1,000 records; if the indexing rate is insufficient, the overflow records are rejected, which shows up as errors in the logs and in the index rebuild report. The system does keep track of records that were not indexed and retries them at the end, but the errors could raise questions, especially during the initial index build.

The steps in this guide are for RSA Archer 6.6, but will be very similar for 6.5. The Windows version was used in these examples. Please consult with Elastic for detailed instructions.